Installing CouchDB 2.0 with HTTPS / SSL For Free

Using Haproxy and Certbot/Let’s Encrypt on Centos 7

I’ve wanted to start writing about some of the things I get up to as a web & app developer when running a small business. I try to have a broad knowledge ranging from server setups and configuration to front end coding. It’s nice to keep things interesting and my aim is to try and blog about setups and techniques that aren’t currently just a few taps of your keys on Google to find.

So here it goes…

Background

I’ve been on the search for an easier way to build apps using the latest technology. I began making apps a few years ago with Phonegap/Cordova and re-using some of the code I use for websites, but it’s become cumbersome. Ionic 2, built on Cordova, looks very promising and is also using Angular 2, which is exciting!

As data is such a key part of apps, I wanted to see what the best solution was to move over from synchronising using a combination of SQLite, PHP and MySQL. I couldn’t find a good two-way synchronising solution using a relational database, which led me on to NoSQL document-based databases.

MongoDB only has a master-slave synchronising option, which isn’t ideal, whereas Couchbase requires you to spend a significant chunk of money every year if you want to enable SSL/HTTPS. I really want to make sure that data is all encrypted as it is transferred, so I chose to go with CouchDB. It’s created by Apache and seems very powerful. The only downside I can see is the lack of a nice SQL-like query language such as the ones Couchbase and MongoDB have.

Installing CouchDB in conjunction with Haproxy will give you a fast and secure installation which is easily expandable with load balancing if you decide to go for a multi-cluster setup:

1. Installing CouchDB 2.0 on Centos 7
2. Run CouchDB as a Daemon
3. Install and configure Haproxy
4. Setup single node using Fauxton
5. Installing CertBot / Let’s Encrypt
6. Creating a Certbot hook for Haproxy
7. Generate SSL certificate
8. Setup automatic SSL certificate renewals
9. Configure Haproxy for HTTPS

The Process

Step 1. Installing CouchDB 2.0 on Centos 7

There are a few articles out there explaining how to use the EPEL repo and yum to install CouchDB — I have EPEL with Centos 7 and there was no CouchDB package available. So a fairly simple manual install is required.

That will have created a file /etc/systemd/system/couchdb.service with the information required to run CouchDB as a service. As described in the original article, you can now start CouchDB and have it run every time your server reboots.

Once pointed in the right direction, this has made a world of difference and is a perfect solution to run CouchDB over HTTPS. I couldn’t find a lot of documentation about it, but I’ve been reliably informed that CouchDB is well tested with Haproxy, and it will provide you with load balancing capabilities should you wish to have a multi-cluster setup.

Congratulations, you now have a CouchDB server running over HTTP with an admin user to prevent unauthorised changes.

You could test this by opening a new CLI window and running

curl -X PUT http://YOUR_IP:5984/newdatabase

You’ll receive the response {"error":"unauthorized","reason":"You are not a server admin."}

Remember to restrict access to your databases by adjusting their permissions. You can do this via Fauxton. Go to your database then click permissions on the left.

Step 5. Installing CertBot / Let’s Encrypt

Now that we have configured CouchDB, we need an SSL certificate. Let’s Encrypt is a “Free, Automated and Open Certificate Authority” — in short it’s amazing! It’ll give you a free SSL certificate (up to 5 certificates every 7 days) and each certificate lasts 90 days.

You will need to have a domain name though.

If you already have a domain elsewhere, just configure a subdomain to point to your server in your DNS settings (if a domain isn’t already pointing to the server’s IP).

Voila. This script will now copy your certificate, including the full CA chain, and your private key into a single file for Haproxy to use. It will also restart Haproxy so your new certificate is used straight away.

Step 7. Generating your SSL Certificate

For my purposes, the server I installed CouchDB on is not a web server. Therefore I am able to run CertBot in standalone mode, which temporarily starts a server on port 443. For other modes see the CertBot instructions at https://certbot.eff.org/ (there is automation for Nginx and Apache if you are already running a web server; be aware that you may need to modify the renew-hook script to temporarily shut down your web services while the certificate is requested and validated).

CertBot will then generate and authorise your certificate. It will save symbolic links to the generated files under /etc/letsencrypt/live/YOUR_DOMAIN/. Your “renew-hook” script will copy the contents of the certificate, CA chain and private key to /home/couchpotato/couchdb/certs/ after they have been created.
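The renew-hook from Step 6, referred to again above, written out as an added example (this is not the post’s own gist). It assumes certbot invokes it via --renew-hook, which sets RENEWED_LINEAGE to the /etc/letsencrypt/live/YOUR_DOMAIN/ directory, and uses the /home/couchpotato/couchdb/certs/ path from the post; the config path /etc/haproxy/haproxy.cfg and the systemd unit name haproxy are assumptions.

```shell
#!/bin/sh
# Added example of a certbot renew-hook for Haproxy (not the post's gist).
# Assumes certbot runs it with RENEWED_LINEAGE=/etc/letsencrypt/live/YOUR_DOMAIN
# and that Haproxy loads its combined PEM from /home/couchpotato/couchdb/certs/
# (paths from the post); /etc/haproxy/haproxy.cfg and the unit name "haproxy" are assumed.
set -eu

# Concatenate fullchain.pem + privkey.pem (the order Haproxy expects) into one file.
build_haproxy_pem() {
  lineage="$1"   # directory holding fullchain.pem and privkey.pem
  out="$2"       # combined PEM that Haproxy's "crt" directive will load
  umask 077      # the result contains the private key: create it owner-only
  tmp="$out.tmp.$$"
  cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
  mv -f "$tmp" "$out"   # atomic rename: Haproxy never reads a half-written file
}

# Reload (gracefully, not restart) only if the config and new certificate pass
# Haproxy's own check, so a bad renewal cannot take the proxy down.
reload_haproxy() {
  haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null 2>&1 || return 1
  systemctl reload haproxy
}

main() {
  lineage="${RENEWED_LINEAGE:?set by certbot for renew/deploy hooks}"
  cert_dir="${CERT_DIR:-/home/couchpotato/couchdb/certs}"
  mkdir -p "$cert_dir"
  build_haproxy_pem "$lineage" "$cert_dir/$(basename "$lineage").pem"
  reload_haproxy
}

# Run the hook only when certbot invokes it (RENEWED_LINEAGE present); the
# functions can still be sourced and exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Pass the script to certbot with --renew-hook /path/to/this-script.sh (the post’s flag) so it runs after every successful renewal.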

Step 8. Configure SSL certificate automatic renewals

Switch to the root user and create a CertBot service that will run your renewal script:

Step 9. Configure Haproxy for HTTPS

Now that we have our certificate file, we can easily reconfigure Haproxy to use SSL encryption. I was directed to this as a standard SSL configuration for Haproxy within the chat: https://gist.github.com/rnewson/8384304